> > Are you sure? I have net.inet.tcp.signature_verify_input = 1 and only
> > one line in /etc/ipsec.conf for each BGP session using MD5 keys, on
> > 8.2-STABLE.
>
> Hmm, you are right, it seems that my second SAD entries are not used at all.
> However I'm now running with net.inet.tcp.signature_verify_input = 0, because
> if I set it to 1 the BGP sessions to my other FreeBSD routers disconnect (and
> that is running Quagga).
> Am I the only one who sees this running Quagga? One difference probably is
> that I have both TCP-MD5 protected sessions and ones that are not. And the
> not protected sessions fail if I start checking ingress tcp signatures.
Have a look at

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=452717+0+current/freebsd-net

This is a nice summary of the different possibilities. And indicates, if I
read it right, that there *is* indeed a problem.

My case is Quagga bgpd talking to several JunOS routers, only a single TCP
session (with MD5) to each router. This works just fine. I have never
attempted BGP with MD5 between two FreeBSD boxes.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
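The thread above turns on whether each TCP-MD5 protected BGP session has setkey(8) entries for both directions in /etc/ipsec.conf (the "second SAD entries"). The script below is an added example, not code from either poster or from FreeBSD: it emits the two per-direction `add ... -A tcp-md5` lines for one peer and checks an ipsec.conf-style text for sessions that only have one direction configured. The sample configuration is constructed for the example, and the SPI value 0x1000 is an assumption taken from the usual tcp(4) example rather than anything stated in the thread.

```shell
#!/bin/sh
# Constructed sample in setkey(8) format, as found in /etc/ipsec.conf.
# Peer 192.0.2.2 has SAs in both directions; peer 192.0.2.3 only has the
# local->peer direction, so inbound segments from it carry no usable SA.
SAMPLE_CONF='add 192.0.2.1 192.0.2.2 tcp 0x1000 -A tcp-md5 "peer2secret";
add 192.0.2.2 192.0.2.1 tcp 0x1000 -A tcp-md5 "peer2secret";
add 192.0.2.1 192.0.2.3 tcp 0x1000 -A tcp-md5 "peer3secret";'

# Emit the two setkey lines (one per direction) for a TCP-MD5 protected session.
# $1 = local address, $2 = peer address, $3 = shared secret.
# SPI 0x1000 is an assumed value (the tcp(4) example uses it); the kernel keys
# tcp-md5 SAs on the address pair, so the same SPI on every line is fine.
emit_md5_pair() {
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$1" "$2" "$3"
    printf 'add %s %s tcp 0x1000 -A tcp-md5 "%s";\n' "$2" "$1" "$3"
}

# Read setkey-format text on stdin and print "src dst" for every tcp-md5 SA
# that has no matching "dst src" entry, i.e. a session protected in only one
# direction. Prints nothing when every session is covered both ways.
missing_reverse() {
    awk '
        $1 == "add" && $4 == "tcp" && /tcp-md5/ {
            key = $2 " " $3
            seen[key] = 1
            order[n++] = key
        }
        END {
            for (i = 0; i < n; i++) {
                split(order[i], p, " ")
                if (!((p[2] " " p[1]) in seen)) print order[i]
            }
        }'
}

# Stand-alone run: show the one-directional session in the sample config,
# then show that a pair generated by emit_md5_pair passes the check.
printf '%s\n' "$SAMPLE_CONF" | missing_reverse
emit_md5_pair 192.0.2.1 192.0.2.3 "peer3secret" | missing_reverse
```

Running it against the constructed sample prints `192.0.2.1 192.0.2.3`, the session that would need its reverse-direction SA added before turning on ingress signature verification; the check is purely over the configuration text and says nothing about whether the kernel has actually loaded those SAs (`setkey -D` shows that).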